pods is forbidden: User tote-admin cannot list resource pods in API group at the cluster scope

huangapple go评论58阅读模式
英文:

pods is forbidden: User tote-admin cannot list resource pods in API group at the cluster scope

问题

我正在在我的kubeadm Kubernetes集群中创建一个名为tote的新用户。首先,我创建了一个密钥:

openssl genrsa -out tote.key 2048

然后,我创建了一个CSR:

openssl req -new -key tote.key -subj "/CN=tote-admin" -out tote.csr

最后,我正在按照kubernetes文档中的这里的说明操作:

A)我创建了一个证书签名请求清单:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: tote
spec:
  request: XXXXXX(生成的CSR的base64编码)
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

B)使用kubectl批准CSR:

kubectl certificate approve tote

C)生成tote用户的crt证书:

kubectl get csr tote -o jsonpath='{.status.certificate}' | base64 -d > tote.crt

最后,当尝试使用tote用户的apiserver URL列出pods时,它给出以下错误:

curl https://172.31.127.100:6443/api/v1/pods --key tote.key --cert tote.crt --cacert /etc/kubernetes/pki/ca.crt

响应如下:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"tote-admin\" cannot list resource \"pods\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}

有什么帮助可以解决这个问题并允许用户tote访问pods吗?

英文:

I am creating a new user in my kubeadm kubernetes cluster named tote. so first I created a key:

openssl genrsa -out tote.key 2048

Then I created a CSR:

openssl req -new -key tote.key -subj "/CN=tote-admin" -out tote.csr

Finally, I am following kubernetes docs in here so:

A) I create a certificate signing request manifest:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: tote
spec:
  request: XXXXXX (based64 of the generated CSR)
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

B) Approve the CSR using kubectl:

kubectl certificate approve tote

C) Produce the crt certificate for tote user:

kubectl get csr tote -o jsonpath='{.status.certificate}'| base64 -d > tote.crt

Finally, when trying to list pods using apiserver url using tote user, it gives me error as the following:

curl https://172.31.127.100:6443/api/v1/pods --key tote.key --cert tote.crt --cacert /etc/kubernetes/pki/ca.crt

And the response:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"tote-admin\" cannot list resource \"pods\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403

Any help how to resolve this issue and allow user tote to access pods?

答案1

得分: 1

  1. 看起来您的身份验证正在工作,但用户缺少必要的权限。您需要为您使用的用户创建RBAC权限。请参考使用RBAC授权

  2. 也尝试从.kube/config文件中捕获证书。
    像客户端密钥数据:

    echo -n "LS0....Cg==" | base64 -d > admin.key

客户端证书数据:

echo -n "LS0...C==" | base64 -d > admin.crt

证书颁发机构数据:

echo -n "LS0...g==" | base64 -d > ca.crt

然后使用以下命令:

curl https://172.31.127.100:6443 \
--key admin.key \
--cert admin.crt \
--cacert ca.crt
英文:
  1. Looks your Auth working, but user doesn't have the necessary permissions. You need to create RBAC permissions for the user you use. Refer to Using RBAC Authorization

  2. And also try capturing certs from the .kube/config file.
    Like client-key data :

    echo -n "LS0....Cg==" | base64 -d > admin.key

Client-certificate-data :

echo -n "LS0...C==" | base64 -d > admin.crt 

Certificate authority-data :

echo -n "LS0...g==" | base64 -d >ca.crt 

Then use, curl https://172.31.127.100:6443 \
--key admin.key \
--cert admin.crt
--cacert can.crt

huangapple
  • 本文由 发表于 2023年5月30日 06:12:42
  • 转载请务必保留本文链接:https://go.coder-hub.com/76360582.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定